Profile Applicability:
Level 1
Description:
Before merging new code into the main or protected branches, all configured automated checks—such as continuous integration (CI) builds, unit tests, security scans, and code quality analyses—must successfully complete. This control helps ensure that only code meeting quality and security standards is integrated into the codebase.
Rationale:
Requiring all checks to pass before merging prevents broken builds, security vulnerabilities, and code defects from entering production or shared branches. It promotes stable software releases, reduces the risk of downtime or regressions, and supports compliance with development best practices and security policies.
Impact:
Pros:
Improves code quality and stability.
Prevents introduction of defects and vulnerabilities.
Encourages automated testing and continuous integration.
Supports compliance and audit readiness.
Cons:
May delay merges if tests take significant time.
Requires maintaining reliable and comprehensive automated checks.
Default value:
By default, branch protection is not configured, so a repository permits merging even when checks have failed or have not run.
Audit:
Review the branch protection rules (or merge request settings) of the main and other protected branches to confirm that required status checks are enforced, that the rule names the expected checks, and that administrators cannot bypass it. Verify historical merge records to confirm that merges occurred only after all required checks had passed.
Remediation:
Configure branch protection rules on the main and other protected branches to require all configured status checks to pass before merging. Educate development teams on the importance of passing checks. Regularly update and maintain automated test suites and CI pipelines so that the required checks remain reliable.
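An added example of the audit step, not part of the benchmark itself: a Python helper that evaluates the JSON GitHub returns from GET /repos/{owner}/{repo}/branches/{branch}/protection against this control and flags historical merges whose combined status was not success. The three payloads, the expected check names, and the merged-PR record shape are constructed for the example; fetching the real payloads (for instance with `gh api`) is left to the caller.

```python
import json

# Constructed sample payloads (not from a real repository) in the shape of GitHub's
# GET /repos/{owner}/{repo}/branches/{branch}/protection response.
COMPLIANT = json.dumps({
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/test", "security/scan"]},
    "enforce_admins": {"enabled": True},
})
NONCOMPLIANT = json.dumps({
    "required_status_checks": {"strict": False, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": False},
})
UNPROTECTED = json.dumps({"required_status_checks": None, "enforce_admins": {"enabled": False}})

# Hypothetical list of checks the organisation expects every protected branch to require.
EXPECTED_CHECKS = ["ci/build", "ci/test", "security/scan"]


def audit_required_checks(protection_json: str, expected=EXPECTED_CHECKS) -> list:
    """Return a list of findings; an empty list means the branch satisfies this control."""
    protection = json.loads(protection_json)
    findings = []
    rsc = protection.get("required_status_checks")
    if not rsc:
        return ["required status checks are not enabled on this branch"]
    # Older rules list check names under "contexts"; newer ones under "checks" as objects.
    configured = set(rsc.get("contexts") or [])
    configured |= {c["context"] for c in rsc.get("checks") or [] if c.get("context")}
    missing = sorted(set(expected) - configured)
    if missing:
        findings.append(f"required checks missing from the rule: {', '.join(missing)}")
    if not rsc.get("strict"):
        findings.append("branch is not required to be up to date with its base before merging")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("administrators may bypass the rule")
    return findings


def merges_without_passing_checks(merged_prs: list) -> list:
    """Historical check: return PR numbers merged while the combined status was not 'success'.

    Each record is assumed (constructed shape) to look like
    {"number": int, "combined_status": "success" | "failure" | "pending"}; a missing status counts as a finding."""
    return [pr["number"] for pr in merged_prs if pr.get("combined_status") != "success"]


if __name__ == "__main__":
    for name, payload in [("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT), ("unprotected", UNPROTECTED)]:
        print(name, audit_required_checks(payload) or ["OK"])
```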
References:
GitHub Branch Protection Rules: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-protected-branches
GitLab Merge Request Pipelines: https://docs.gitlab.com/ee/ci/pipelines/
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/